Advice for OPM Breach Victims

The following post has been transmitted by the Federal Law Enforcement Officers Association (think, the “special agents’ union” and you’re pretty close) to their members. It gives advice that is useful to anyone who’s been victimized by the allegedly-Chinese hack of the all-but-unsecured computer networks of the Office of Personnel Mismanagement (OPM).

Their advice about (1) not relying on the lowest-bidder “credit monitoring” OPM contracted as damage control, and (2) taking measures on your own, is excellent across the board. If you are (or were) a government worker or cleared contractor, or even simply applied for a clearance, since approximately 1990, you may rest assured that the payroll patriots of OPM have distributed your name, date of birth, social security account number, and many other personal details (depending on level of clearance and depth of investigation) far and wide.

In response to OPM’s breach of our members’ Personal Identifying Information (PII) and release of other sensitive data, FLEOA prepared an informative bulletin to assist you and your family with taking proactive steps to prevent further abuse of your PII.
By now you should have received an email from OPM notifying you that your personal information may have been compromised. The email will come from [email protected] and it will contain information regarding credit monitoring and identity theft protection services. Ensure that the email you received from OPM is from CSID and not a phishing attempt. To do this, check the address on your email header and ensure it reads [email protected]. To be safe, launch a new window and then cut and paste [email protected] into your new web browser and follow the instructions. Don’t fall into the false sense of security that credit monitoring will protect you. It’s a good service and certainly one you should take advantage of, but there are additional services and resources you should also consider deploying. So what else can you do to protect your identity?
First, contact one of the three credit reporting bureaus, Transunion (www.transunion.com), Experian (www.experian.com) and Equifax (www.equifax.com), and report you are a victim of identity theft and request a FRAUD ALERT be placed on your record. Note: by law, you only need to contact one of the three. As soon as you place the fraud alert with one credit bureau, they have to notify the other two. Please keep in mind that a fraud alert is only valid for three (3) months and then you have to call them again and renew. A fraud alert works much the same way as credit monitoring – anytime someone queries your credit, either through a loan application or even checks your credit, you are notified. There is no charge for this service.
Additionally, by law, you are entitled to receive one free credit report per year, per credit bureau. In effect, you can request 3 credit reports per year at no charge from each of the credit bureaus. FLEOA recommends that you request a new credit report every four (4) months for the next three to five years and then at least every six months for every year thereafter. If you notice an account that you or your spouse do not recognize, immediately notify the company that you are a victim of identity theft and you did not authorize the questionable account.
Another important step to consider is freezing your credit account. Unlike credit monitoring where you are simply notified of a credit query, a credit freeze will prevent anyone from using your SSN to obtain credit in your name. It also prevents anyone from reviewing your credit worthiness. The cost is $10 to freeze and another $10 to unfreeze. As with placing a fraud alert on your account, you only need to notify one of the three credit reporting bureaus. FLEOA recommends that you freeze your credit if you are not planning to purchase a car, a house or obtain credit cards in the next year or so. If you are planning on purchasing a car or house this year, you may want to consider waiting to freeze your credit until after you have completed your purchase.
Another option to consider is paying a fee for the credit bureaus to contact you via text, email or phone anytime someone queries or uses your SSN to obtain credit. This provides instant real-time feedback and allows you to respond immediately to any threat to your credit. Note: there is a fee for this service.
FLEOA also recommends that you set up a My SSA account through the Social Security Administration (http://www.ssa.gov/myaccount). By setting up a My SSA account, you can access your work history and yearly earnings and ensure that only the wages you earned are showing up under your SSN. This helps prevent anyone from filing SSA claims in your name and working under your SSN without you knowing about it.
For additional information on how to protect yourself and your family from identity theft, visit the Federal Trade Commission at www.ftc.gov/idtheft.
FLEOA | | [email protected] | www.fleoa.org

7945 MacArthur Blvd

Ste 201

Cabin John, MD 20818

This is a personal calamity for those involved and a national security and counterintelligence disaster, but you’ll be relieved to know that institutional Washington’s highest priorities are safe: that would be the 7% annual performance bonuses for the OPM Senior Executive Service members and other senior managers who presided over this cluster$&@%.


11 thoughts on “Advice for OPM Breach Victims”

  1. Tim, ’80s Mech Guy

    Someone mentioned this was a “Pearl Harbor Level Breach” sounds about right. If you applied for a clearance consider yourself compromised. Still they say nobody is at fault and no heads will roll.

    Epic Fail is now the only level of performance we can expect from the G.


  2. Boat Guy

    Good advice.

    OF COURSE no “heads will roll” – nobody’s even gonna lose their bonus, much less their six-figure position. I’d be pretty cool with literal decapitation since I’m one of the folks whose lives are now in Chinese hands (and apparently HAVE BEEN for the better part of a YEAR).

    I dumped the OPM email as soon as I got it. I’m not gonna expect the numbskulls who allowed this breach to “protect” me from its consequences. Screw me once…


  3. Jim Scrummy

    Thank you! Good nuggets of advice from FLEOA. No, I do not trust ANYTHING from OPM, especially the lowest bid credit monitoring service being provided for a whole 18 months. Just for kicks, my OPM letter read the freebie service expires on…December 7, 2016. Well, on the bright side, this just highlights all the useless box checking I’ve had to do for DoD computer “Cybertraining”. Good times, good times. Hardly.


  4. Miles

    Interesting point:

    No one at my former unit has received any information or guidance about all this. This was straight from my squadron NCOICs of Security & HR. Their advice was similar to FLEOA’s, and they did say if they heard anything, they’d contact me.

    My supervisor said he had heard that a couple of acquaintances from other agencies had received letters.

    Everybody, however, did say that any Email contact was to be considered suspect.


  5. Pathfinder

    So if I haven’t received an e-mail I am supposed to believe that my information hasn’t been compromised?


  6. Raoul Duke

    Thanks for this. I forwarded the information to several friends with current or recent security clearances.

    By the way, don’t answer any calls from Chinese hookers. Just sayin’. 🙂


  7. Darkwater

    I’m an old timer and filled out the handwritten SF-86 (before 1990), therefore I don’t expect to receive the warning message, based on what I’ve been told. But if you think that I feel safe from compromise from the Chinese or anyone else, you’re sadly mistaken.